This invention relates to cryptographic communications systems. More particularly, this invention relates to the secure generation, certification, storage and distribution of cryptographic keys used in cryptographic communications systems. Still more particularly, this invention relates to a system of cryptographic key escrow and public-key certificate management enforced by a self-certifying chip device.
The development and proliferation of sophisticated computer technology and distributed data processing systems has led to a rapid increase in the transfer of information in digital form. This information is used in financial and banking matters, electronic mail, electronic data interchange and other data processing systems. Transmission of this information over unsecured or unprotected communication channels risks exposing the transmitted information to electronic eavesdropping or alteration. Cryptographic communications systems preserve the privacy of these transmissions by preventing the monitoring by unauthorized parties of messages transmitted over an insecure channel. Cryptographic communications systems also ensure the integrity of these transmissions by preventing the alteration by unauthorized parties of information in messages transmitted over an insecure channel. The cryptographic communications systems can further ensure the integrity and authenticity of the transmission by providing for recognizable, unforgeable and document-dependent digitized signatures that can prevent denial by the sender of his own message.
Cryptographic systems involve the encoding or encrypting of digital data transmissions, including digitized voice or video transmissions, to render them incomprehensible by all but the intended recipient. A plaintext message consisting of digitized sounds, letters and/or numbers is encoded numerically and then encrypted using a complex mathematical algorithm that transforms the encoded message based on a given set of numbers or digits, also known as a cipher key. The cipher key is a sequence of data bits that may either be randomly chosen or have special mathematical properties, depending on the algorithm or cryptosystem used. Sophisticated cryptographic algorithms implemented on computers can transform and manipulate numbers that are hundreds or thousands of bits in length and can resist any known method of unauthorized decryption. There are two basic classes of cryptographic algorithms: symmetric key algorithms and asymmetric key algorithms.
Symmetric key algorithms use an identical cipher key for both encrypting by the sender of the communication and decrypting by the receiver of the communication. Symmetric key cryptosystems are built on the mutual trust of the two parties sharing the cipher key to use the cryptosystem to protect against distrusted third parties. The best known symmetric key algorithm is the National Data Encryption Standard (DES) algorithm first published by the National Institute of Standards and Technology. See Federal Register, Mar. 17, 1975, Vol. 40, No. 52 and Aug. 1, 1975, Vol. 40, No. 149. The sender cryptographic device uses the DES algorithm to encrypt the message when loaded with the cipher key (a DES cipher key is 56 bits long) for that session of communication (the session key). The recipient cryptographic device uses an inverse of the DES algorithm to decrypt the encrypted message when loaded with the same cipher key as was used for encryption. However, the adequacy of symmetric key cryptosystems in general has been questioned because of the need for the sender and the recipient to exchange the cipher key over a secure channel to which no unauthorized third party has access, in advance of the desired communications between the sender and recipient. This process of first securely exchanging cipher keys and only then encrypting the communication is often slow and cumbersome, and is thus unworkable in situations requiring spontaneous or unsolicited communications, or in situations requiring communications between parties unfamiliar with each other. Moreover, interception of the cipher key by an unauthorized third party will enable that party to eavesdrop on both ends of the encrypted conversation.
The second class of cryptographic algorithms, asymmetric key algorithms, uses different cipher keys for encrypting and decrypting. In a cryptosystem using an asymmetric key algorithm, the user makes the encryption key public and keeps the decryption key private, and it is not feasible to derive the private decryption key from the public encryption key. Thus, anyone who knows the public key of a particular user could encipher a message to that user, whereas only the user who is the owner of the private key corresponding to that public key could decipher the message. This public/private key system was first proposed in Diffie and Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, November 1976, and in U.S. Pat. No. 4,200,770 (Hellman et al.), both of which are hereby incorporated by reference.
An early type of asymmetric key algorithm allows secure communication over an insecure channel by interactive creation by the communicating parties of a cipher key for that session of communication. Using the asymmetric key algorithm, two interacting users simultaneously and independently generate a secure cipher key that cannot be deduced by an eavesdropper and that is to be used symmetrically to encode that session of communications between the users. This interactive method of generating a secure cipher key was described by Diffie and Hellman in their 1976 paper. Under this prior art method, known as the Interactive Diffie-Hellman scheme, shown in FIG. 2, each of the two users A,B randomly chooses a secret number 21,22 and then computes an intermediate number 23,24 using two publicly-known numbers and the secret number 21,22 chosen by that user. Each user next transmits the intermediate number 23,24 to the other user and then computes the secret (symmetric) cipher key 25 using his own secret number 21,22 and the intermediate number 24,23 just received from the other user. The interactively generated cipher key 25 is then used symmetrically by both users as a DES or other symmetric cipher key to encrypt and decrypt that session of communications over an otherwise insecure channel in the manner of symmetric key algorithm communications. This interactive process requires only a few seconds of real time, and all digital communications, including digitized sound or video transmissions, in a particular session can be encrypted merely by pushing a button at the outset of a session to initiate the interactive key exchange process. Because all the numbers chosen in the Interactive Diffie-Hellman key generation scheme are very large, the computations are infeasible to invert and the secret cipher key cannot be computed by an eavesdropper, thus preserving the privacy of the communication. Because the computations are infeasible to invert, each user knows that any communication received using this algorithm was not altered and could have been sent only by the other user, thus preserving the integrity and authenticity of the communication. This interactive key exchange method, however, requires the parties to interact in real time in order to create the cipher key and may not be useful for unsolicited communications or unfamiliar parties. In particular, the Interactive Diffie-Hellman key exchange scheme does not work for store-and-forward electronic-mail style messaging or for long-term storage of documents in an electronic data storage system, because the recipient is not on-line to negotiate the session key.
A modified, non-interactive form of the Diffie-Hellman scheme, known as Certified Diffie-Hellman, can be used when the communicating parties are not on-line together. The initial, certification step of the Certified Diffie-Hellman session key generation scheme is shown in FIG. 3. One user, the recipient-to-be, randomly chooses a secret number 31 (his private key) and then computes an intermediate number 33 using two publicly-known numbers 32 and the secret number 31 chosen by that user. That user then sends proof of identification along with the intermediate number and the two public numbers, which numbers together form his public key 34, to a certifying authority that then issues a public key certificate 35 digitally signed 36 by the issuing certifying authority binding the user's identity to the user's Diffie-Hellman public key information 34. The public key 34 publicized by that user remains the same until he decides to rekey and choose another private key 31. Messaging using the Certified Diffie-Hellman method is shown in FIG. 4. In order to transmit a message to that user, a sending user first obtains the receiving user's certificate 35 and verifies the certifying authority's signature 36. The sender next computes the session key 42 for that communication session using the recipient's intermediate number 33 (from the recipient's certificate) and the sender's own secret number 41 (his private key), which he chooses at random. The sender then encrypts a message 43 using the session key 42 and places his own intermediate number 40 unencrypted at the head of the communication. Upon receiving the communication, the recipient computes the session key 42 using the sender's unencrypted intermediate number 40 and his own secret number 31 (or private key), and then uses the session key 42 to decrypt the message 43. As with the Interactive Diffie-Hellman scheme, the session key generated in the Certified Diffie-Hellman scheme is then used by both parties to encrypt and decrypt communications during that session over an otherwise insecure channel using a conventional symmetric algorithm, such as DES. The Certified Diffie-Hellman scheme, however, requires that a trusted entity or a certifying authority sign the receiving user's public key certificate so that a sending user can trust that the information contained within is correct. In addition, the private key randomly chosen by the sender, with which he computes both the session key and the intermediate number for that communication, must not be identical to the private key that is connected to the sender's own public key certificate; in order to avoid others learning his permanent private key numbers (corresponding to the public key numbers that have been certified), the sender should keep them distinct from any ephemeral private keys or intermediate numbers that are generated only for specific messages.
Another asymmetric key algorithm, named the RSA algorithm after the inventors Rivest, Shamir and Adleman, is described in U.S. Pat. No. 4,405,829 (Rivest et al.), which is hereby incorporated by reference, and involves the difficulty of factoring a number that is the product of two large prime numbers. As with the Interactive Diffie-Hellman scheme, the RSA algorithm is relatively straightforward to compute but practically infeasible to invert. Thus, it is not feasible to derive the private key from the public key and, in this way, the privacy of the communication is preserved. Once a message is encrypted with the public key using the RSA algorithm, only the private key can decrypt it, and vice versa. As with the Certified Diffie-Hellman scheme, the RSA algorithm requires a trusted entity to certify and publicize the users' public keys. In contrast to both Diffie-Hellman schemes, however, the RSA algorithm does not itself generate a "session key" to be used symmetrically by the parties. Instead, the public encryption key for a particular user directly encrypts communications to that user and that user's private decryption key decrypts those communications encrypted with the user's public key. In this way, the RSA algorithm is a pure asymmetric key algorithm.
However, because the RSA algorithm is complex and involves exponentiation of the message by very large numbers, encrypting or decrypting a message of even moderate length using the RSA algorithm requires a great deal of time. Thus, it is much simpler, faster and efficient to use the RSA asymmetric algorithm to transport a DES cipher key for use in a symmetric algorithm. This prior art mode of operation is known as RSA key transport and is shown in FIGS. 5 and 6. For example, referring to FIG. 5, a user could generate a random DES key 51 and encrypt a message 52 with that DES key. The user would then encrypt the DES key 51 with an intended receiving user's public RSA encryption key 53 and transmit the DES-encrypted message 54 along with the RSA-encrypted DES key 55 to the receiving user. After receiving the transmission, as shown in FIG. 6, the recipient decrypts the DES key 51 using his private RSA decryption key 56 and uses that DES key 51 to decrypt the message 52. Because the DES algorithm requires much less time and expense to compute than does the RSA algorithm, the symmetric DES key is used to encrypt and decrypt the actual message, while the asymmetric RSA keys are used to encrypt and decrypt the symmetric DES key.
The RSA public/private key cryptosystem also provides for a digital "signature" that is both message dependent and signer dependent, and can be used to certify that the received message was actually sent by the sender and that it was received unaltered. RSA digital signature is based on the additional property of RSA that, in addition to allowing the user's private key to decrypt only those communications encrypted using that user's public key, permits a user's private key to encrypt messages that can be decrypted only by that user's public key. Because only the user has the private key, use of the private key to encrypt allows for proof of origin that can be verified by anyone with access to the user's public key. In practice, the sender first uses his private key to encode the message text into a signed message, which could be decrypted by anyone but could have come only from the sender. If desired, the sender may then optionally use the recipient's public encryption key to encipher the signed message to be transmitted. Upon receipt of the ciphertext, the recipient decrypts the ciphertext with his private decryption key, if necessary, and decodes the signed message with the sender's public encryption key. Because only the sender knows his unique private key, only the sender could have sent the particular "signed" message; the signature thus verifies the identity of the sender. Also, because the recipient has only the sender's public key, the sender cannot claim that the recipient or an unauthorized third party altered or fabricated his message; the signature thus prevents repudiation of the message by the sender. Furthermore, because only the sender's private key transforms the original message and only the sender knows his unique private key, neither the recipient nor an unauthorized third party could have altered the message; the signature thus certifies the integrity of the message.
The RSA algorithm also provides for another type of digital signature that uses a hashing function to create a short message digest that is unique to each document. FIGS. 7 and 8 show RSA signature creation and RSA signature verification, respectively, using a hashing function. A hashing function is another complex mathematical algorithm that is "one-way," i.e. so that it is infeasible to reconstruct the document from the hash result, and is "collision-free," i.e. so that it is infeasible to produce another document that will hash to the same digest. As shown in FIG. 7, the sender first passes the message 72 through a hashing algorithm 73 to produce the message digest 74 and then encrypts the digest with his RSA private key 75, forming a compact digital signature 76 that is attached to the message 72. After receiving the transmission of the message 72 and the message digest 76, as shown in FIG. 8, the recipient decrypts the sender's RSA encrypted message digest 76 (the digital signature) using the sender's RSA public key 77. The recipient also uses the same hashing algorithm 73 to produce a message digest 74 from the received message. The two message digests resulting from the two transformations performed by the recipient should be identical, thus verifying that the message was signed by the sender.
Another system of digital signature, called DSA for Digital Signature Algorithm, may also be used for sender verification. The DSA Algorithm was disclosed in U.S. patent application Ser. No. 07/738,431, which is hereby incorporated by reference in its entirety. The DSA Algorithm has properties that are similar to those of the RSA signature algorithm in that the sender passes the message through a hashing algorithm to produce a message digest and then encrypts or signs the message digest using his private key; the recipient verifies the encrypted digest using the sender's public key. However, unlike the RSA signature algorithm that returns the original message digest when the recipient decrypts the signature block, the DSA verification algorithm results only in a positive confirmation of the validity of the signature; communications encrypted using an intended recipient's public key cannot later be recovered by decryption with the recipient's corresponding private key. For this reason, the DSA algorithm may be used quite capably for digital signatures, but not for key transport or for direct message encryption.
In order for the public/private key system to operate efficiently, users must trust a centralized key certifying authority to be responsible for publicizing and updating a directory of public encryption keys. The key certifying authority must be trusted by all users, both senders and recipients, to distribute the correct public keys for all users so that no messages are transmitted to unintended recipients. To this end, as discussed above and elaborated below, the certifying authority would distribute each user's name and public encryption key information, and would affix its own digital signature to the distributed information in order to certify the correctness of the information. However, when more than one entity, or a hierarchy of entities, is involved in the certification process, there are several different methodologies or "trust models" for determining how a user will process the certificates. The three main models are (1) a pure hierarchical model, (2) a model using cross-certification between multiple hierarchies, and (3) a "local trust" model. These models are described in detail in the standards document American National Standard X9.30, "Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: Part 3: Certificate Management for DSA" (American Bankers Assn., Washington, D.C., 1992), which is hereby incorporated by reference in its entirety. Although there is not yet a general consensus as to which of the above-mentioned trust models is best, it is assumed throughout this disclosure that an appropriate, generally accepted certification trust model will be established and adhered to whenever certificates issued by more than one entity are involved.
The public/private key system described above takes into account the privacy interests of the users who wish to transmit and receive communications privately. In addition, however, there are also the law enforcement and national security interests of governments to be considered. The ability of the government to monitor or eavesdrop on otherwise private electronic transmissions for law enforcement and national security purposes must be preserved so that suspected criminals, terrorists and foreign spies are not permitted to conspire beyond the reach of the law. Whereas telephone communications can be monitored through wiretapping, cryptographic algorithms make the enciphered data unable to be deciphered even by powerful code-breaking computers. The increase in the volume and percentage of digital and digitized transmissions encrypted with advanced algorithms will, therefore, serve to frustrate and thwart the lawful government electronic surveillance of these communications, especially if cryptographic devices are widely implemented in telephones, computers, facsimile machines and all other data processing equipment.
One way to enable the government or other authorized investigators to monitor communications of suspected criminals is to require all users of cryptographic communications to escrow their private decryption keys with either a private authority or the government, i.e. allow either the private authority or the government to be the trusted custodian of the users' private decryption keys. When necessary for surveillance, the government then will have access to or will be able to gain access to the private keys in order to monitor all encrypted communications. This method, however, is unworkable because it contains insufficient safeguards against abuse by the government of the private decryption keys and against possible leaking of the private decryption keys to unauthorized third parties either by theft from the government or the private authority or by corruption of government or private authority personnel.
Another method of escrowing private decryption keys to preserve both user privacy interests and law enforcement security interests is by using a system such as the method described in "Fair Public Key Cryptosystems," proposed by Silvio Micali at CRYPTO 92 in March 1993 and published by the Laboratory for Computer Science of the Massachusetts Institute of Technology on Oct. 13, 1993, and in U.S. Pat. No. 5,276,737, both of which are hereby incorporated by reference. By this method, shown in FIGS. 9-11, a user who wishes to certify his public key for encryption purposes must escrow his private key in the following manner. As shown in FIG. 9, the user first breaks his private key 91 into several "pieces" 92, each of which can be individually verified 90 to be a valid part of the complete private key 91. The private key can be reconstructed only with knowledge of all the pieces or some specified number of them. The user then sends 93 each piece to a different escrow agent or agency 94, who, as shown in FIG. 10, verifies 95 the piece as a correct part of the private key 91 using a special algorithm and communicates this verification 96 to a master escrow center. Referring to FIG. 11, after receiving verification 96,97 that each piece of the private key is correct, the master escrow center can then issue a certificate 98 for the user's public key 99, allowing it to be used in a privacy system with the assurance that, if need be and pursuant only to a warrant or court order, law enforcement agencies will be able to obtain the secret pieces of the private key from the user's chosen escrow agents, recombine them and monitor the communications of that user. By this system, users can be assured of the privacy of their encrypted transmissions, and government can be assured of its ability to gain access to encrypted transmissions upon a showing of need. Because no one entity normally ever has access to the complete private key and because the user chooses entities that he trusts, the chances of unlawful or corrupt actions are greatly reduced. Also, because a wider range of entities would be eligible as escrow agents, the chances of simultaneously compromising all the escrow agents, and thereby disrupting all trusted commerce, is even further reduced.
The master escrow center, as a trusted authority certifying the authenticity of the user's public key, periodically issues a publicly-available certificate attesting or notarizing the connection between the public encryption key and its owner's identifying information. The certificate of authenticity assures the sender that transmissions to that named public key user will in fact be received and read only by the intended recipient. The certificate is usually in an internationally recognized electronic format, such as the one specified in CCITT Recommendation X.509 and issued as an international standard by the International Standards Organization (ISO). An example of a public encryption key escrow certificate format is shown in FIG. 12. The certificate contains, among other things, the name of the organization or key management center that created the certificate (the issuer) 121, the owner's public key 122, the owner's identifying information 126, a certificate serial number 123, and validity starting and ending dates 124. The issuer's digital signature 125 "seals" the certificate and prevents its alteration.
The U.S. government, however, has proposed as a government (and possible industry) standard another method to enable it to escrow private decryption keys and to monitor communications. The U.S. government has developed a microcircuit, called the "Clipper chip," that can be built into government and commercially-produced telephones and computer devices. The Clipper chip is a low-cost chip that may be used for bulk encryption and key management; the Capstone chip is a more advanced version of the Clipper chip that adds digital signature and message digest capabilities. Like other encryption systems, the Clipper chip uses a symmetric encryption algorithm, albeit a classified algorithm called Skipjack, that scrambles telephone and digital computer data communications in a manner similar to DES, but using an 80-bit key. Each Clipper chip has a unique serial number, a Clipper family key common to all Clipper chips and its own symmetric private device key that will be needed by authorized government agencies in order to decode messages encoded by a device containing the chip. When the device containing the chip is manufactured, the unique private device key will be split into two components (called "key splits") and deposited separately with two key escrow data bases or agencies that will be established within the government. Law enforcement agents can gain access to these private device keys by obtaining a warrant or other legal authorization to wiretap or monitor the communications and by presenting the warrant to the two escrow agencies.
When users of Clipper chip devices wish to communicate, they first agree on a symmetric session key with which to encrypt the communications. Any method of deriving the symmetric session key, such as Interactive Diffie-Hellman key derivation process, and any method of transporting the DES session key between users, such as RSA transport, may be used. At the start of each communication, each user sends to the other a Law Enforcement Access Field (LEAF) that contains enough information to allow law enforcement agents to wiretap or monitor the communication. The believed format of the Clipper LEAF is shown in FIG. 13 (note that because the precise details of the LEAF format, creation and verification are currently classified "secret" by the U.S. government, this discussion and FIG. 13 are both somewhat speculative). To form the LEAF, the session key is first encrypted using the private device key; then the device-key-encrypted session key, the sender device's serial number and a checksum (a verifying value) of the original unencrypted session key are together encrypted with the Clipper family key to complete the LEAF. The message is then encrypted using the chosen session key. The session-key-encrypted message and the family-key-encrypted LEAF are together transmitted to the recipient. Upon receiving the communication, the receiving user first loads the received LEAF into his Clipper chip in order to check whether the LEAF is valid and whether the session key encrypted within the LEAF matches the session key previously received. If the LEAF is valid, the Clipper chip will decrypt the message with the chosen session key that was previously received.
A law enforcement agent lawfully wiretapping or monitoring the communication, however, does not know the session key and thus must first decrypt the LEAF in order to obtain the session key. The agent intercepts the desired LEAF, decrypts it using the Clipper family key and then presents the chip serial number from the LEAF and a court-ordered warrant or other legal authorization to the two government escrow agents, receiving in return the two key splits of the wire-tapped user's private device key. The agent combines the two escrowed device key components and uses the resulting device key to decrypt the device-key-encrypted session key from the LEAF. The session key can then be used to decrypt the actual messages from the communications. The requirement that the sender and recipient each create a LEAF and validate the other's LEAF insures that law enforcement agents will have a reasonable chance at intercepting the LEAF, since each LEAF is expected to pass between the users over the same communications medium. Further, it allows law enforcement to selectively monitor only one suspected user by decrypting the LEAF generated by that user, regardless of which user originated the communication.
Unfortunately, there are many technical problems with the government's Clipper chip proposal, mostly stemming from the fact that the private keys to be escrowed are permanently embedded in the Clipper chips during manufacture. Because the private encryption key for a particular device is burned into the chip and cannot be changed, the chip and probably the entire device that contains it must be discarded if compromised. It is preferable for the user of a particular device to be able to rekey, reescrow and recertify the device at will if compromise is suspected or at regular intervals to avoid potential compromise. In addition to the inability of the user to rekey and reescrow, the user of the Clipper device has no choice of the number or the identities of the key escrow agents employed by the government to safeguard his private key. Instead, the private key splits are deposited in two escrow data bases or agencies established by the government. Users may not trust the Clipper chip devices due to the risk that the government may have complete access to any transmission or transaction through the device, access that could be abused or corrupted. Users may also desire that their keys be escrowed with more trustees than the government provides, in order that their private keys will be more secure. If the concept of key escrow is to have significance, each user must be able to choose his own trustees with whom to escrow his private keys, based upon the level of trust desired.
Also, it is believed that the government Clipper system allows users to communicate only symmetrically and in real time, and does not provide any direct support for store-and-forward electronic-mail type messaging. Prior to encrypting communications, the sender and recipient must first agree on a symmetric session key with which to encrypt the communications. Typically, this key exchange is done using the Interactive Diffie-Hellman scheme, the only key exchange method believed to be supported by the Clipper chip. Thus, unless they wish to arrange their own key management system, users are restricted to simultaneous, interactive communications, such as real-time voice or facsimile communications. In order to use store-and-forward electronic-mail type messaging, however, a user must be able to access the intended recipient's public key, such as by using a Certified Diffie-Hellman or a certified RSA key transport scheme, even if the intended recipient is not available for an interactive on-line communication. Because it is believed that the government's Clipper system does not facilitate this, store-and-forward messaging is difficult. The government's proposed standard system thus may tend to limit the communications capabilities of users to on-line interaction.
Moreover, under the government system, the users' employers have no access to the encrypted data or transmissions of their employees. Employers, on whose behalf the employees are developing, communicating or transmitting confidential or proprietary data, must retain the right to gain access to their employees' data or transmissions. Many situations could arise wherein encrypted information would be available only to the specific employees directly engaged in using the cryptographic systems and not to the management or boards of directors who are responsible for those employees and who own the corporate data resources. By encrypting data or communications, employees could develop or appropriate for themselves new programs, products and technologies or could conduct illegal activities and transactions, all without their employers' knowledge. Also, movement or reorganization of staff and changes of storage facilities could result in the loss of massive amounts of information that was important enough at the time of encryption to be encrypted. See Donn B. Parker, "Crypto and Avoidance of Business Information Anarchy" (Invited speaker presentation at First Annual AC Conference on Computer and Communication Security, Nov. 3-5, 1993, Reston, Va.), which is hereby incorporated by reference. Aside from the originator of the data or the sender of the transmissions, the Clipper chip allows only the government to have access to the transmissions. Although employers could seek a court-issued warrant in order to monitor their employees' communications, employers may wish to monitor their internal officers in a more discreet fashion than by initiating a federal investigation any time suspicion is aroused.
Furthermore, mandating a classified algorithm that is embedded in the chip and thus available only in hardware and only from government-authorized chip manufacturers injects the government into the rapidly changing and highly competitive market for communications and computer hardware. A government agency or a government-authorized manufacturer may be unable or unwilling to design and market advanced devices and products specially tailored for particular companies as would a private manufacturer. If the government authorizes only certain vendors to manufacture the chips having the classified algorithm, competition will be reduced and the technology will be prevented from being incorporated into other products. Additionally, because the details of the Skipjack algorithm have not been made public, suspicion has arisen as to whether the algorithm could be insecure, due either to an oversight by its designers or to the deliberate introduction by the government of a trap door. An important value of cryptosystem design is that the privacy and security of the encrypted messages should depend on the secrecy of the relevant key values, not on the secrecy of the system's details.
It is, therefore, desirable to provide a commercial key escrow system that uses published algorithms, operates in a manner that inspires the users' trust and confidence, and solves the problems posed by national security and law enforcement demands.
It is also desirable to provide a commercial key escrow system that uses private keys that may be changed by the user at will or at regular intervals.
It is further desirable to provide a commercial key escrow system that allows the user to choose the key escrow agents to safeguard his private key or the separate pieces of his private key.
It is still further desirable to provide a commercial key escrow system that contains safeguards against unrestricted government access, yet allows access by the employers of the users or by the countries of which the foreign users are citizens.
It is also desirable to provide a commercial key escrow system that offers an alternative to the U.S. Government's proposed Clipper chip system.